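#!/usr/bin/env bash
# Host firewall, IPv4 `filter` table only (nat/mangle are not touched).
#
# Strategy: default DROP on INPUT, FORWARD and OUTPUT (FORWARD stays empty:
# this host does not route), then open explicitly
#   - loopback,
#   - flows already tracked by conntrack (ESTABLISHED/RELATED),
#   - ICMP with the local network,
#   - the listed TCP/UDP service ports,
# drop common port-scan flag combinations, and log (rate-limited) whatever
# reaches the end of INPUT/OUTPUT before the policy drops it.
#
# Tunables (environment overrides):
#   LAN_NET  network allowed to exchange ICMP with this host
#            (default 192.168.0.0/24)
#
# Notes for whoever applies this:
#   - No rule opens TCP/22. Applied over a remote shell, this script ends the
#     session except for packets of flows already present in conntrack, which
#     the ESTABLISHED rule keeps alive. Add the administrative port among the
#     service rules before running it remotely.
#   - ip6tables is not configured here; on a dual-stack host IPv6 keeps
#     whatever policy it already has.
#   - Rules are applied one iptables call at a time, so the ruleset is not
#     installed atomically; `iptables-restore` is the atomic alternative.
#   - Needs root (CAP_NET_ADMIN). With `set -e` the script stops at the first
#     failing command instead of continuing with a half-built ruleset; the
#     DROP policies are already in place at that point, so a failure leaves
#     the host closed, not open.

set -euo pipefail

if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

readonly LAN_NET=${LAN_NET:-192.168.0.0/24}

# Fail closed: set the DROP policies *before* flushing, so there is no window
# during which the chains are empty under a permissive policy.
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP
iptables -F
iptables -X   # user-defined chains are empty after -F and can be removed

# Loopback: match on the interface rather than on source 127.0.0.1, so that
# all of 127.0.0.0/8 (e.g. a local resolver) and the host's own addresses,
# which also travel over lo, are accepted. A 127.0.0.0/8 source arriving on
# any other interface is spoofed and is dropped.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  ! -i lo -s 127.0.0.0/8 -j DROP

# Flows already known to conntrack: replies, FTP data channels, ICMP errors.
# Packets conntrack cannot classify are dropped before the service rules.
# (`-m state` is the legacy spelling of `-m conntrack --ctstate`; kept for
# compatibility with older userspace.)
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -m state --state INVALID -j DROP

# ICMP with the local network only. In OUTPUT the peer is the destination,
# hence -d: matching -s there tests this host's own address, which either
# never matches or, when the host sits in LAN_NET, allows ICMP to anywhere.
iptables -A INPUT  -s "$LAN_NET" -p icmp -j ACCEPT
iptables -A OUTPUT -d "$LAN_NET" -p icmp -j ACCEPT

# TCP flag combinations that never occur in a legitimate handshake (xmas,
# null, syn+rst, fin+urg+psh, bare rst). Applied on every interface: lo is
# already accepted above, so tying these to one interface name only made the
# script break silently on a host whose NIC is not called eth0.
iptables -A INPUT -p tcp --tcp-flags ALL ALL                 -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE                -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST         -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST     -j DROP

# A NEW TCP connection must begin with a SYN.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Non-first fragments. With conntrack loaded, packets are reassembled before
# the filter table sees them, so this mainly matters when conntrack is absent.
iptables -A INPUT -f -j DROP

# Service ports. Replies flow through the ESTABLISHED rule, so only the
# initiating direction of each service is listed.
iptables -A INPUT  -p tcp --dport 21   -j ACCEPT  # FTP server; passive data channels need nf_conntrack_ftp for RELATED
iptables -A OUTPUT -p tcp --dport 21   -j ACCEPT  # FTP client
iptables -A OUTPUT -p udp --dport 53   -j ACCEPT  # DNS (UDP only; the TCP/53 fallback for large answers is not opened)
iptables -A INPUT  -p tcp --dport 25   -j ACCEPT  # SMTP server, inbound mail only (no outbound --dport 25 rule)
iptables -A INPUT  -p tcp --dport 80   -j ACCEPT  # HTTP server
iptables -A OUTPUT -p tcp --dport 80   -j ACCEPT  # HTTP client
iptables -A INPUT  -p tcp --dport 443  -j ACCEPT  # HTTPS server
iptables -A OUTPUT -p tcp --dport 443  -j ACCEPT  # HTTPS client
iptables -A INPUT  -p tcp --dport 1234 -j ACCEPT  # TCP/1234: purpose not documented — TODO confirm what listens here
iptables -A OUTPUT -p tcp --dport 1234 -j ACCEPT
iptables -A INPUT  -p tcp --dport 3690 -j ACCEPT  # svnserve (Subversion)

# Rate-limited log of what the policies are about to drop. LOG does not
# terminate rule evaluation, so these must come after every ACCEPT to log
# only denied traffic. Level 7 (debug) keeps the entries off the console;
# route them with the syslog configuration.
iptables -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied out: " --log-level 7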
